In Depth
VoIP Security: When Voice Becomes Data
With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system
By Scott Berinato
complexity.) "It's extremely frustrating," Graydon says. "You sit there and go, 'Guys, you're doing it
again. Did you not learn the last time?'"
Only this time, the stakes are higher. If, say, instant messaging was rushed to satisfy market
demand without being properly secured or having its threats understood, that wasn't good. But what
were the expectations and assumptions about chat's security in the first place? Probably limited. With
voice, there are those culturally ingrained expectations. We even have a name for it: Dial-tone
reliability. Voice can't fail, we've come to expect that, and yet here's a technology rushing to market
that, so far, can't meet the expectation.
In a sense, vendors offering VoIP service are pushing a cake-and-eat-it-too agenda. They want
voice to have the power of data with the security of POTS, even if such a platform doesn't yet exist. So
they're left selling voice as another data type but also acknowledging that voice is special. "I say voice is
not data," says Lawrence Dobranski, the leader of product security architecture in the office of the CTO
at Nortel. "From a risk management perspective it has to be thought of differently. We're sharing voice
on data infrastructure, and that means the threat landscape is opened." That's a core point of this story.
"People bring an awful lot of expectations with voice. We have to make sure we get the security of VoIP
right, and that won't be easy; that will be difficult."
Gus de los Reyes, a technology consultant for AT&T Labs developing security capabilities for
VoIP services, is more sanguine. De los Reyes says he and the other AT&T Labs technology experts
can prevent his company's VoIP products from going to market if he feels a security control isn't ready,
and he says he's done that. He has the power to control the rush to market, so he doesn't even see a
rush to market. "There's a much greater awareness with VoIP than there was with things like e-mail.
Maybe too much awareness. People don't want to make the same mistakes with VoIP."
But it appears they are, as demonstrated by Pena's alleged scheme, which involved no fewer than
15 VoIP companies, startups without the kinds of controls in place that an old telecom company like
AT&T might have, and the emergence of all the other datalike threats to voice that VoIP has
enabled.
De los Reyes does eventually acknowledge that some companies will rush to market, but that's only
to sate demand coming from those who aren't considering the risks up front. For, none of this would be



